The information on this page represents the experience of an NBIA user. It is not meant to apply to all users.
Install OpenLDAP on Ubuntu.
These instructions are based on Ubuntu 18.04.
In a terminal window, issue the following commands:
sudo apt-get update
sudo apt-get upgrade
Then, in the same terminal window, install the server and the client tools:
sudo apt install slapd ldap-utils
Modify the default Directory Information Tree (DIT) suffix so that it fits your company's domain, for example dc=smab,dc=org. To do so, issue the following command and answer its prompts:
sudo dpkg-reconfigure slapd
Add initial data to the LDAP database from a file. In a terminal window, create the file:
vi ldap_data.ldif
Contents of ldap_data.ldif:
# Organizational units for users and groups
dn: ou=People,dc=smab,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=smab,dc=org
objectClass: organizationalUnit
ou: Groups

# Group entry: the cn attribute must carry the same value as the cn in the dn,
# otherwise slapd rejects the entry (naming attribute not present)
dn: cn=DEPARTMENT,ou=Groups,dc=smab,dc=org
objectClass: posixGroup
cn: DEPARTMENT
gidNumber: 5000

# NBIA test user: uid and cn both carry the login name
dn: uid=nciadevtest,ou=People,dc=smab,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: nciadevtest
sn: Last name
givenName: First name
cn: nciadevtest
displayName: Name
uidNumber: 10000
gidNumber: 5000
userPassword: password
gecos: Whole Name
loginShell: /bin/bash
homeDirectory: USERDIRECTORY
This .ldif file creates two organizationalUnit entries: one is People, the other is Groups.
It also adds entries under these OUs. One of them is the nciadevtest user for NBIA. Both uid and cn must carry this name, because NBIA authenticates by cn by default, while some other software authenticates by uid.
After adding these entries, use the command below to search for an existing record. You can test against the loopback address (127.0.0.1) or against the server's real IP address.
ldapsearch -x -LLL -h 127.0.0.1 -p 389 -D cn=admin,dc=smab,dc=org -w smab123456 -b dc=smab,dc=org 'uid=nciadevtest' cn givenName gidNumber
Result:
dn: uid=nciadevtest,ou=People,dc=smab,dc=org
givenName: XIAOHUI
cn: nciadevtest
gidNumber: 5000

ldapsearch -x -LLL -h 69.71.4.10 -p 389 -D cn=admin,dc=smab,dc=org -w smab123456 -b dc=smab,dc=org 'cn=nciadevtest' uid givenName gidNumber
Result:
dn: uid=nciadevtest,ou=People,dc=smab,dc=org
uid: nciadevtest
givenName: XIAOHUI
gidNumber: 5000
Final configuration. After installing OpenLDAP and adding the records, the LDAP server configuration is as follows.
Title               Value
Base DN             dc=smab,dc=org
Bind Admin          cn=admin,dc=smab,dc=org
Bind Password       Smab123456
User name for NBIA  nciadevtest
LDAP administrator client.
How to use Softerra LDAP Administrator
Binding an LDAP client with this information lets you create, delete and modify entries; bound any other way, you only have read permission.
Troubleshooting:
NBIA LDAP settings.
1. In nbia.properties (Tomcat7.0/lib/nbia.properties)
authentication.type=ldap-auth
ldap.url=ldap://192.168.56.101:389
ldap.basedn=dc=smab,dc=org
ldap.user=CN=admin,dc=smab,dc=org
ldap.pass=smab123456
ldap.memberOf.attribute.name=isMemberOf
ldap.mail.attribute.name=mail
ldap.group.ignore.list=PwmAdmins,devTeam,nlst,testGroup
public.collection.access.group.name=General User
product.variation=NBIA
ldap.user and ldap.pass must be the credentials of the LDAP server's administrator account.
3. In jaas.conf (Tomcat7.0/conf/jaas.conf)
NCIA
{
gov.nih.nci.security.authentication.loginmodules.LDAPLoginModule Required
ldapHost="ldap://192.168.56.101:389"
ldapSearchableBase="dc=smab,dc=org"
ldapUserIdLabel="cn"
ldapAdminUserName="CN=admin,dc=smab,dc=org"
ldapAdminPassword="smab123456";
};
NOTE that:
The jaas.conf file is generated during the NBIA installation. The default ldapUserIdLabel is 'cn', which means the login module searches the LDAP server for an entry whose 'cn' value matches the login user name. If such an entry exists, the LDAP server authenticates that user.
Some LDAP servers store the login user name in another attribute, such as 'uid'. If your LDAP server does, change the value 'cn' in the line below to 'uid':
ldapUserIdLabel="cn"
After changing it, restart Tomcat for the change to take effect.
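A pre-flight check of the LDIF before it is loaded, plus a lookup that behaves like the jaas.conf ldapUserIdLabel setting; this is an added example, not NBIA's or OpenLDAP's own code, and it runs on a constructed sample that reproduces the cn=DEPARTMENT / cn: SUBGROUP mismatch from the ldap_data.ldif above. It flags the RDN mismatch slapd rejects, the uid/cn requirement NBIA has, and a cleartext userPassword, and shows why a login name found by 'cn' may not be found by 'uid' or vice versa.

```python
import re

# Constructed sample mirroring the page's ldap_data.ldif; the group entry keeps
# the cn mismatch (dn says DEPARTMENT, attribute says SUBGROUP) on purpose.
SAMPLE_LDIF = """\
dn: cn=DEPARTMENT,ou=Groups,dc=smab,dc=org
objectClass: posixGroup
cn: SUBGROUP
gidNumber: 5000

dn: uid=nciadevtest,ou=People,dc=smab,dc=org
objectClass: inetOrgPerson
uid: nciadevtest
cn: nciadevtest
gidNumber: 5000
userPassword: password
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF (no '::' base64, no continuation lines) into dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_entry(entry):
    """Return the problems slapd (naming attribute) or NBIA (uid/cn) would hit."""
    problems = []
    dn = entry["dn"][0]
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    if rdn_val not in entry.get(rdn_attr.lower(), []):
        problems.append(f"{dn}: RDN value {rdn_attr}={rdn_val} is not an attribute value")
    if "inetorgperson" in [c.lower() for c in entry.get("objectclass", [])]:
        if entry.get("uid") != entry.get("cn"):
            problems.append(f"{dn}: NBIA logs in by cn, so uid and cn must be identical")
        if not entry.get("userpassword", ["{"])[0].startswith("{"):
            problems.append(f"{dn}: userPassword is cleartext; hash it with slappasswd")
    return problems

def find_user(entries, label, username):
    """Mimic jaas.conf ldapUserIdLabel: dn of the entry whose <label> equals username."""
    for e in entries:
        if username in e.get(label.lower(), []):
            return e["dn"][0]
    return None
```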